RE: session logging IDS

["Bob Walder" <bwalder () spamcop net>]

Technically (theoretically?) this can be done..... But just think of all
the data that the IDS/IPS would need to buffer to be able to provide you
with ALL session data for each session where an alert is raised. ;o)
Don't forget that EVERY open session has to be tracked JUST IN CASE an
alert is raised at some point - not v practical, even at 100Mbps

Products like IntruShield are capable of buffering x packets before an
alert is raised to try and provide some context for the alert. Cisco do
something similar, but they just provide you with the context buffer
(fixed size), which is actually more useful in most cases. ISS Proventia
also gathers lots of data on each session tracked now so that when an
alert is raised it can give you lots of interesting context data - such
as the user name and password used to log in to an FTP server, for
example - in addition to the item that actually triggered the alert.

Some companies specialise in producing "forensic recorders" - Niksun,
for example (there are others that I cannot remember off the top of my
head - and I *BELIEVE* - not sure - that that is actually how NFR
started life?) which are simply designed to catch huge wodges of data at
wire speed. You could use those to capture ALL your traffic and let the
IDS/IPS do its job - then you can HOPE that you can find the session
that contains the alert your IDS/IPS found. One or two vendors are
talking about integrating with such recording devices, such that they
sorta "sync" their session tracking, and when an alert is raised they
flag the forensic recorder to keep a particular session in its entirety
- not here yet though. 

See our IPS report at www.nss.co.uk/ips for more info - for those who
have been there before, you might be interested to know that we have
dropped that annoying form you had to fill in before you got to the
reports ;o)

Maybe we should look at testing these forensic recorders in a group test
- any vendors interested? 

Regards,

Bob Walder
The NSS Group





> > -----Original Message-----
> > From: Martin Roesch [mailto:roesch () sourcefire com] 
> > Sent: 30 August 2004 20:48
> > To: Raj Malhotra
> > Cc: focus-ids () securityfocus com
> > Subject: Re: session logging IDS
> >
> >
> > Do you want to log the entire session always on a specific port or 
> > between two IPs or are you looking to log the entire session 
> > if there's 
> > a detect on it?
> >
> >       -Marty
> >
> > On Aug 30, 2004, at 7:17 AM, Raj Malhotra wrote:
> >
> > > Hello all,
> > >
> > > We are evaluating available NIDS products which would work 
> > at 100 mbps 
> > > and would also do "session logging". By "session logging", 
> > we would 
> > > want the IDS to log the "entire session" and not just the session 
> > > "after" an intrusion is detected.
> > >
> > > We saw a couple of IDS which would probably be able to do something
> > > like this,
> > > Cisco IDS
> > > Intrushield
> > >
> > > Cisco offers session logging as well as replay.
> > > Intrushield says something like "Highly customized capture of 
> > > individual packet, individual session, specific 
> > source/destination, or 
> > > entire traffic stream upon attack detection" which might 
> > be translated 
> > > as "logging of the session only after an attack has been detected".
> > >
> > > Can anyone tell us more about these or any such IDS that 
> > are available 
> > > which can  log the entire session.  Also, has anyone used 
> > any of these 
> > > and with what degree of success? You can mail us back off 
> > the list if 
> > > you so wish so.
> > >
> > > thanks
> > > Raj
> > -- 
> > Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> > Sourcefire: Intelligent Security Monitoring 
> > roesch () sourcefire com - http://www.sourcefire.com
> > Snort: Open Source Network IDS - http://www.snort.org